WordPress Plugin Makes 1.7 Million Websites Vulnerable For Takeover

If your WordPress website has the newsletter plugin MailPoet installed, you may be giving attackers almost complete control of your site.

Researchers at Sucuri warned that the plugin, which has more than 1.7 million downloads, contained a serious vulnerability that allowed attackers to remotely upload arbitrary files to the site without any credentials.

“An attacker can exploit this vulnerability without having any privileges or accounts on the target site. This is a major threat meaning every single website using it is vulnerable,” said Daniel Cid, the security firm’s CTO.

The vulnerability has since been patched in version 2.6.7, released on July 1, 2014. Researchers urge WordPress users running the MailPoet plugin to upgrade immediately.

MailPoet adds the ability to create newsletters, send automatic notifications of new posts, and set up autoresponders.

“This bug should be taken seriously,” warns Cid. “It gives a potential intruder the power to do anything he wants on his victim’s website.” The vulnerability allows an arbitrary PHP file to be uploaded, giving attackers the opportunity to use the website for phishing lures, spam, hosting malware, and attacking other customers on a shared server.

Cid noted that the root cause is something all plugin developers should be mindful of: “the vulnerability resides in the fact that the developers assumed that WordPress’ ‘admin_init’ hooks were only called when an administrator user visited a page inside /wp-admin/. . . However, any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated.”
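To make that root cause concrete, here is an added illustrative example, not MailPoet's code: a hypothetical plugin that handles a theme-archive upload first in the style Cid describes and then with the checks it was missing. The same caveat applies to /wp-admin/admin-ajax.php, which also fires admin_init for anonymous requests, and to is_admin(), which only reports that an admin-area script is serving the request, not who is logged in. The demo_ prefix, the action and form field names and the upload directory are assumptions, and the hardened handler assumes the direct WP_Filesystem method.

```php
<?php
/**
 * Illustrative example added here; this is not MailPoet's code. The demo_
 * prefix, action name, field names and upload directory are hypothetical.
 */

// ---- Vulnerable pattern --------------------------------------------------
// Assumes admin_init only fires for an administrator browsing /wp-admin/.
// It fires on every admin request, including an anonymous
//   POST /wp-admin/admin-post.php  (action=demo_upload_theme, file theme_zip)
// so there is no authentication, no authorization and no CSRF protection.
function demo_upload_theme_vulnerable() {
    if ( ! isset( $_POST['action'] ) || 'demo_upload_theme' !== $_POST['action'] ) {
        return;
    }
    if ( empty( $_FILES['theme_zip']['tmp_name'] ) ) {
        return;
    }
    // Archive contents land under the web root as-is: a .php file in the zip
    // becomes a web shell reachable over HTTP.
    $dest = WP_CONTENT_DIR . '/uploads/demo-themes';
    wp_mkdir_p( $dest );
    WP_Filesystem();
    unzip_file( $_FILES['theme_zip']['tmp_name'], $dest );
}
// add_action( 'admin_init', 'demo_upload_theme_vulnerable' ); // the bug; never register this

// ---- Hardened pattern ----------------------------------------------------
function demo_upload_theme_hardened() {
    global $wp_filesystem;

    // 1. Authorization: the hook name says nothing about the caller, and being
    //    logged in is not enough (a subscriber is logged in too).
    if ( ! current_user_can( 'install_themes' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry the nonce our own form emitted with
    //    wp_nonce_field( 'demo_upload_theme' ); check_admin_referer() dies otherwise.
    check_admin_referer( 'demo_upload_theme' );

    if ( empty( $_FILES['theme_zip']['tmp_name'] ) ) {
        wp_die( 'No file uploaded.', '', array( 'response' => 400 ) );
    }
    // 3. Type: accept only a zip, verified by extension and by content sniffing.
    $type = wp_check_filetype_and_ext(
        $_FILES['theme_zip']['tmp_name'],
        $_FILES['theme_zip']['name'],
        array( 'zip' => 'application/zip' )
    );
    if ( 'zip' !== $type['ext'] ) {
        wp_die( 'Only .zip archives are accepted.', '', array( 'response' => 400 ) );
    }

    // 4. Content: extract outside the web root first and reject the whole
    //    upload if any entry is not a plain template or asset file.
    WP_Filesystem();
    $scratch = trailingslashit( get_temp_dir() ) . 'demo-theme-' . wp_generate_password( 12, false );
    $result  = unzip_file( $_FILES['theme_zip']['tmp_name'], $scratch );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 400 ) );
    }
    $bad = demo_find_disallowed_entry( $scratch );
    if ( null !== $bad ) {
        $wp_filesystem->delete( $scratch, true );
        wp_die( 'Archive contains a disallowed file: ' . esc_html( basename( $bad ) ), '', array( 'response' => 400 ) );
    }
    // Only now move the vetted tree into place.
    $dest = WP_CONTENT_DIR . '/uploads/demo-themes';
    wp_mkdir_p( $dest );
    copy_dir( $scratch, $dest );
    $wp_filesystem->delete( $scratch, true );

    wp_safe_redirect( admin_url( 'admin.php?page=demo&uploaded=1' ) );
    exit;
}
// admin_post_{action} fires only for logged-in users posting to admin-post.php;
// anonymous visitors would hit admin_post_nopriv_{action}, which is not registered.
add_action( 'admin_post_demo_upload_theme', 'demo_upload_theme_hardened' );

/** Return the first path under $dir whose name is not an allowed asset, or null. */
function demo_find_disallowed_entry( $dir ) {
    $allowed = array( 'html', 'htm', 'txt', 'css', 'png', 'jpg', 'jpeg', 'gif' );
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        $name = $file->getFilename();
        $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        // pathinfo() sees only the last extension, so "shell.php.txt" would pass the
        // allow-list; reject any name containing ".php" as well (covers .phtml, .php5).
        if ( ! in_array( $ext, $allowed, true ) || false !== stripos( $name, '.php' ) ) {
            return $file->getPathname();
        }
    }
    return null;
}
```

The hardened handler is registered on admin_post_{action}, which admin-post.php fires only for a logged-in user, but that alone is not the fix: the capability check, the nonce and the archive inspection are what actually close the hole, and they would be needed just the same if the handler stayed on admin_init.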

The research team discovered the flaw a few weeks ago and immediately disclosed it to MailPoet, which worked quickly to release the plugin update.